{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27068", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:42.768Z", "datePublished": "2026-03-19T08:42:37.658Z", "dateUpdated": "2026-04-01T16:00:44.056Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "website-llms-txt", "product": "Website LLMs.txt", "vendor": "Ryan Howard", "versions": [{"changes": [{"at": "8.2.7", "status": "unaffected"}], "lessThanOrEqual": "8.2.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:02.792Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.<p>This issue affects Website LLMs.txt: from n/a through <= 8.2.6.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:44.056Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:49:36.391557Z", "id": "CVE-2026-27068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:50:41.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:49:36.391557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:50:02.766Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ryan Howard", "product": "Website LLMs.txt", "versions": [{"status": "affected", "changes": [{"at": "8.2.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "8.2.6"}], "packageName": "website-llms-txt", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Website LLMs.txt plugin to the latest available version (at least 8.2.7).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.This issue affects Website LLMs.Txt: from n/a through 8.2.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.Txt allows Reflected XSS.<p>This issue affects Website LLMs.Txt: from n/a through 8.2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:42:37.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27068", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:50:41.247Z", "dateReserved": "2026-02-17T13:23:42.768Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:42:37.658Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Ryan Howard Website LLMs.Txt permite XSS Reflejado. Este problema afecta a Website LLMs.Txt: desde n/a hasta 8.2.6."}], "id": "CVE-2026-27068", "lastModified": "2026-04-01T17:28:37.063", "metrics": {}, "published": "2026-03-19T09:16:18.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/website-llms-txt/vulnerability/wordpress-website-llms-txt-plugin-8-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Website LLMs.txt", "source": "cna", "vendor": "Ryan Howard"}, "product": "website_llms.txt", "vendor": "ryan_howard"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T10:20:32.903022+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin version (8.2.7 or newer) to eliminate the reflected XSS issue.", "Verify that the plugin version has been updated and that the website displays the new version number."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (Reflected)"}, "threat_synthesis": {"affected_systems": "The affected product is the Website LLMs.Txt plugin developed by Ryan Howard. All plugin versions from the initial release through version\u202f8.2.6 are impacted. Versions 8.2.7 and newer are not affected.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation in the Website LLMs.Txt plugin. An attacker can inject malicious script content that is reflected back in the page response. This allows the execution of arbitrary client\u2011side code in the victim\u2019s browser, potentially facilitating session hijacking, defacement, or theft of sensitive data. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating a high severity. No EPSS score is provided and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no documented public exploitation yet. The vulnerability is exploitable via a web browser: an attacker can embed a malicious script in a crafted URL or form submission that is reflected in the response sent to a target user. Successful exploitation requires that a user visits the manipulated page, which is a typical cross\u2011site scripting attack scenario."}}}}, "created": "2026-03-20T08:57:00.259469+00:00", "updated": "2026-03-20T14:15:13.238910+00:00", "vendors": ["ryan_howard", "ryan_howard$PRODUCT$website_llms.txt", "wordpress", "wordpress$PRODUCT$wordpress"]}